Legal
Cookie Policy
Last updated: April 26, 2026
The Short Version
- We use a small number of first-party cookies needed to keep you signed in and prevent automated abuse.
- We do not use advertising cookies, do not embed third-party tracking pixels, and do not share cookie data with advertising networks.
- We do not need a consent pop-up because all cookies we set are either strictly necessary or are first-party performance cookies that you can disable in your browser at any time.
- We honor the Global Privacy Control (GPC) signal. If your browser sends
Sec-GPC: 1, we will not set non-essential cookies (currently: the affiliate referral cookie).
Cookie Inventory
| Cookie | Category | Duration | Source |
|---|---|---|---|
mbs_pack Subscription authentication. HMAC-signed token identifying an active Family or Pro subscriber. Used to grant access to paid features without a login form. | Strictly necessary | Up to 90 days | First-party |
mbs_ref Affiliate referral attribution. Stores a referral identifier when a visitor arrives via an affiliate link, so the affiliate is credited if the visitor later subscribes. First-party only — no third-party network reads this cookie. | Performance | 60 days | First-party |
__cf_bm / cf_clearance Cloudflare Turnstile bot protection. Verifies that a human is using the upload form. Required to prevent automated abuse of our analysis API. | Security | Session to 30 minutes | Third-party (Cloudflare) |
Third-Party Domains
When you complete a paid checkout, you are redirected to checkout.stripe.com, which sets its own cookies under Stripe’s domain to process your payment. Those cookies are governed by Stripe’s cookie policy, not ours. We do not receive payment-card data and do not read Stripe’s cookies.
What We Do Not Use
- No Google Analytics, Meta Pixel, TikTok Pixel, LinkedIn Insight Tag, or similar advertising/tracking pixels.
- No cross-context behavioral advertising. We do not “sell” or “share” personal information as those terms are defined under the California Consumer Privacy Act.
- No session-replay or screen-recording technology.
- No fingerprinting libraries.
Your Choices
You can disable cookies entirely in your browser settings. If you do, the Service may not work as expected — most notably, your subscription authentication will not persist between visits.
To opt out of the affiliate referral cookie specifically, enable the Global Privacy Control signal in your browser (instructions at globalprivacycontrol.org) or email us at privacy@medibillsaver.com.
Related Policies
- Privacy Policy — overall data handling
- Consumer Health Data Privacy Policy — Washington MHMDA-specific terms
Contact
Cookie questions: privacy@medibillsaver.com